Uncontrolled Recursion in Loofah
Published: December 13, 2022
SECURITY IDENTIFIERS
- CVE: CVE-2022-23516 (NVD)
- GHSA: GHSA-3x8r-x6xp-q4vm
- Vendor Advisory: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
GEM
loofah
SEVERITY
CVSS v3.x: 7.5 (High)
UNAFFECTED VERSIONS
< 2.2.0
PATCHED VERSIONS
>= 2.19.1
DESCRIPTION
Summary
Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections. Each level of recursion consumes a Ruby stack frame, so a crafted document can drive the sanitizer deep enough to exhaust the stack and raise a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. Note that SystemStackError inherits from Exception, not StandardError, so a generic "rescue => e" around the sanitize call does not catch it; the error propagates to the request handler or thread.
Mitigation
Upgrade to Loofah >= 2.19.1.
Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized. Apply the limit to the raw input before it is parsed: the recursion runs over structure the input produces, so capping the input size also caps how deep the sanitizer can recurse. Treat this as a stopgap and confirm by test that the largest input your limit admits still sanitizes without error on the stack size your deployment actually runs with.
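The following Ruby is an added illustration, not code from Loofah or from this advisory. It uses a toy Node struct and a synthetic single-child chain in place of a parsed Nokogiri document, so it models the general failure mode (recursion depth chosen by the input) rather than Loofah's exact CDATA code path. The names nested_document, scrub_recursive, scrub_iterative, check_input_size! and MAX_INPUT_BYTES are assumptions for this example. It shows the recursive traversal failing with SystemStackError on a deep document, an iterative traversal with an explicit depth cap that raises an ordinary ArgumentError instead, and the byte-length check the mitigation above describes.

```ruby
# Added illustration, not Loofah's code: a toy node tree showing why a
# recursive sanitizer's stack usage is controlled by document nesting,
# and two guards that do not have that property.

# Stand-in for a parsed DOM node (a real sanitizer walks Nokogiri nodes).
Node = Struct.new(:name, :text, :children) do
  def cdata?
    name == "#cdata"
  end
end

# Build <div><div>...<![CDATA[payload]]>...</div></div> of the given depth.
# Built with a loop so that construction itself cannot overflow the stack.
def nested_document(depth, payload)
  node = Node.new("#cdata", payload, [])
  depth.times { node = Node.new("div", nil, [node]) }
  node
end

# Neutralise markup inside CDATA text so it cannot be reparsed as tags.
def escape_cdata(text)
  text.gsub("<", "&lt;").gsub(">", "&gt;")
end

# Vulnerable pattern: one Ruby stack frame per nesting level, so the
# attacker's document decides how much stack is consumed.
def scrub_recursive(node)
  node.text = escape_cdata(node.text) if node.cdata?
  node.children.each { |child| scrub_recursive(child) }
  node
end

# Hardened pattern: an explicit work list on the heap replaces recursion,
# and max_depth turns a hostile document into an ordinary ArgumentError
# (which "rescue => e" catches) instead of a SystemStackError.
def scrub_iterative(root, max_depth: nil)
  work = [[root, 0]]
  until work.empty?
    node, depth = work.pop
    raise ArgumentError, "nesting depth exceeds #{max_depth}" if max_depth && depth > max_depth
    node.text = escape_cdata(node.text) if node.cdata?
    node.children.reverse_each { |child| work.push([child, depth + 1]) }
  end
  root
end

# The advisory's workaround for users who cannot upgrade: cap the raw input
# before it is parsed. Recursion runs over structure the input produces, so
# a byte limit also bounds how deep the old recursive code can go.
MAX_INPUT_BYTES = 64 * 1024 # assumed limit; tune to your deployment's stack
def check_input_size!(html, max_bytes: MAX_INPUT_BYTES)
  return html if html.bytesize <= max_bytes
  raise ArgumentError, "input is #{html.bytesize} bytes, limit is #{max_bytes}"
end

# Walk down the single-child chain to read the scrubbed payload (no recursion).
def leaf_text(root)
  node = root
  node = node.children.first until node.children.empty?
  node.text
end

# :ok if the recursive scrubber survives a document of this depth,
# :stack_exhausted if it blew the Ruby VM stack.
def recursive_outcome(depth)
  scrub_recursive(nested_document(depth, "<script>x</script>"))
  :ok
rescue SystemStackError
  :stack_exhausted
end

# :ok if the depth-capped iterative scrubber accepted the document, else :rejected.
def depth_limit_outcome(depth, max_depth:)
  scrub_iterative(nested_document(depth, "<script>x</script>"), max_depth: max_depth)
  :ok
rescue ArgumentError
  :rejected
end

# :ok if constructed markup of this nesting depth passes the byte check, else :rejected.
def byte_limit_outcome(depth, max_bytes: MAX_INPUT_BYTES)
  html = "<div>" * depth + "<![CDATA[<script>x</script>]]>" + "</div>" * depth
  check_input_size!(html, max_bytes: max_bytes) # real code would parse and scrub next
  :ok
rescue ArgumentError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "recursive, depth 100:        #{recursive_outcome(100)}"
  puts "recursive, depth 200000:     #{recursive_outcome(200_000)}"
  puts "iterative, depth 200000:     #{leaf_text(scrub_iterative(nested_document(200_000, '<b>x</b>')))}"
  puts "iterative, max_depth 64:     #{depth_limit_outcome(1_000, max_depth: 64)}"
  puts "byte limit 4096, depth 10000: #{byte_limit_outcome(10_000, max_bytes: 4096)}"
end
```

The depth at which scrub_recursive fails depends on the Ruby version and on RUBY_THREAD_VM_STACK_SIZE, which is why the byte limit in the mitigation has to be validated against the real deployment rather than chosen from the advisory alone; the iterative form removes that dependency entirely.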
